Trillian Pro Rendezvous XMPP HTML Decoding Heap Corruption
7 May 2007
Summary
A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cerulean Studios Trillian Pro. Authentication is not required to exploit this vulnerability.
Vulnerable Systems:
* Trillian Pro version 3.1 build 121
The specific flaw exists in the Rendezvous / XMPP (Extensible Messaging and Presence Protocol) messaging subsystem. Trillian locates nearby users through the '_presence' mDNS (multicast DNS) service on UDP port 5353. Once a user is registered through mDNS, messaging is accomplished via XMPP over TCP port 5298. Within plugins\rendezvous.dll the following logic is applied to received messages:
The string length of the supplied message is calculated and a heap buffer of length + 128 bytes is allocated to store a copy of the message, which is then passed through expatxml.xmlComposeString(), a function called with the following prototype:
The xmlComposeString() routine calls through to expatxml.19002420() which, among other things, HTML encodes the characters &, > and < as &amp;, &gt; and &lt; respectively. This behavior can be seen in the following disassembly snippet:
As the originally calculated string length does not account for this string expansion, the following subsequent in-line memory copy operation within rendezvous.dll can trigger an exploitable memory corruption:
Note that binary data can be transmitted across the XMPP protocol via UTF-8 encoding.
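The following C example illustrates the bug class the advisory describes and the corresponding fix. It is added here for explanation and is not code from the advisory, from Trillian, or from the expat/expatxml library: the function names are hypothetical, the "+ 128" slack policy is taken from the advisory text, and the escaping rules (&, < and > becoming &amp;, &lt; and &gt;) are the three substitutions the advisory names. The point it makes is that an allocation sized from the pre-escaping length is insufficient once the message contains enough escapable characters, and that the correct sizing is computed from the escaped length (or the copy is bounds-checked against the destination capacity).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Slack the advisory says the vulnerable code adds to strlen(message). */
#define LEGACY_SLACK 128

/* Length the string will have after &, < and > are replaced by
 * &amp;, &lt; and &gt; (the expansion performed by the XML composer). */
size_t xml_escaped_len(const char *s) {
    size_t n = 0;
    for (; *s; s++) {
        switch (*s) {
        case '&': n += 5; break; /* "&amp;" */
        case '<': n += 4; break; /* "&lt;"  */
        case '>': n += 4; break; /* "&gt;"  */
        default:  n += 1; break;
        }
    }
    return n;
}

/* Escape src into dst, which holds cap bytes. Returns 0 on success and
 * -1 if the escaped output plus its terminator would not fit; that
 * capacity check is what the vulnerable in-line copy loop lacked. */
int xml_escape_into(const char *src, char *dst, size_t cap) {
    size_t need = xml_escaped_len(src) + 1;
    if (need > cap)
        return -1;
    char *p = dst;
    for (; *src; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '&': rep = "&amp;"; break;
        case '<': rep = "&lt;";  break;
        case '>': rep = "&gt;";  break;
        }
        if (rep) {
            size_t l = strlen(rep);
            memcpy(p, rep, l);
            p += l;
        } else {
            *p++ = *src;
        }
    }
    *p = '\0';
    return 0;
}

/* Hardened pattern: size the heap buffer from the escaped length, not
 * from the raw length. Caller frees the result. */
char *xml_escape_dup(const char *src) {
    size_t cap = xml_escaped_len(src) + 1;
    char *out = malloc(cap);
    if (!out)
        return NULL;
    xml_escape_into(src, out, cap);
    return out;
}

/* Would the advisory's "strlen + 128" allocation be overrun by the
 * escaped form of this input? Returns 1 if so, 0 otherwise. */
int legacy_sizing_overflows(const char *src) {
    size_t alloc = strlen(src) + LEGACY_SLACK;
    return xml_escaped_len(src) + 1 > alloc;
}

int main(void) {
    /* Constructed sample inputs: a benign message and one dense in '&'. */
    const char *benign = "hello <world> & friends";
    const char *dense  = "&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&"; /* 40 x '&' */

    char *esc = xml_escape_dup(benign);
    printf("%s -> %s\n", benign, esc ? esc : "(alloc failed)");
    free(esc);

    printf("benign: raw %zu, escaped %zu, legacy buffer overrun: %d\n",
           strlen(benign), xml_escaped_len(benign),
           legacy_sizing_overflows(benign));
    printf("dense : raw %zu, escaped %zu, legacy buffer overrun: %d\n",
           strlen(dense), xml_escaped_len(dense),
           legacy_sizing_overflows(dense));
    return 0;
}
```

For detection and review purposes the useful invariant is the one `xml_escape_into` enforces: whenever an encoder can grow its input, the destination size must be derived from the encoded length (or the copy must check capacity per write), never from the length measured before encoding plus a fixed constant.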
Vendor Response:
Cerulean Studios has issued an update to correct this vulnerability. More details can be found at: http://blog.ceruleanstudios.com/
Disclosure Timeline:
2007.02.15 - Vulnerability reported to vendor
2007.05.02 - Digital Vaccine released to TippingPoint customers
2007.05.02 - Coordinated public release of advisory